Cybersecurity consultants don’t really care about your security #fb

﻿I don’t get why privacy advocates and cybersecurity consultants are at each other throats. These two concepts are not complementary, not mutually exclusive. More secure code leads to better protection of the data being handled by that code.

No I lie. I do get why.

Cybersecurity consultants are almost never peddling methods to detect insecure code, but rather they want to enable an attribution system. After all, selling one off analysis solutions doesn’t make any money and you have to spend a lot of money to employ smart people to make better tools. However, government contracts to develop and maintain hardware and software that would be large ISPs would be mandated to purchase, now that’s the money maker.

So I wish all these “cybersecurity experts” would change their job titles to something like “Internet attribution expert”. Then they would be easier to laugh at.

Never mind that attribution is a strategy designed to enable deterrence. Then these cybersecurity guys would like you to forget that deterrence really only works against nations that have something to lose (think Cold War). Deterrence doesn’t work against criminal organizations, lone wolf hackers (increasingly rare), or terrorist groups because these groups reside among civilians or hide out in countries where they are outside the reach of American law. Will a President order a Predator strike on a known hacker in Kazakhstan who has 11 million credit card numbers? I don’t think so. Bombs don’t work well against these small groups.

Not that deterrence worked all that well during the Cold War either. Look at all the people who died in the Korean War, Vietnam War, Soviet invasion of Afghanistan, etc etc. We just avoided nuclear war but millions of people still died. That’s not the kind of deterrence I want to see.

Furthermore, attribution will only work if the attack is detected. The cybersecurity experts don’t tell you that there is no known way to tell when your system has been compromised by a well designed piece of malware. You can’t trust the output your system is returning, so you need to bring in a known good tool. (Please define known good. How do you know if your upstream is secure?) A well designed piece of malware would hide so well that the victim would not realize anything has changed. And by then, you have already lost the game. Your systems are compromised and you can never trust them again.

The ONLY thing that will help in this fight to keep your data safe is to have better engineering, code, and interfaces. This means hiring well-educated CS majors (most of whom reside in expensive first world countries) and not outsourcing crap to China and India. (I’ve seen Indian code, and it is mostly crap. Kid you not.) It means paying for classes to keep your programmers up to date with the latest in software security. It means developing and enforcing security policies. It means funding and rewarding white-hat hackers to find vulnerabilities in systems. It means funding research into automatically detecting vulnerabilities.

This is expensive and the rewards are not very visible. But it’s the only correct path forward.